Comments on: Apache Darkleech Compromises
https://blogs.cisco.com/security/apache-darkleech-compromises
Fri, 18 Aug 2017 04:37:38 +0000

By: Ruchira Sahan
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-740195
Thu, 23 May 2013 08:33:28 +0000
It seems that Darkleech attacks are increasing at a rapid pace. Time to update the servers.

By: Mary Landesman
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-721916
Fri, 19 Apr 2013 13:48:34 +0000
@Yep: The iPhone log is a crash report that has nothing whatsoever to do with the DarkLeech infections discussed in the blog post.

By: Yep
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-721860
Fri, 19 Apr 2013 10:20:19 +0000
Yeah, can someone please comment on the iPhone log post above? I have to say I had the identical conclusion, but I freely admit my knowledge in the area to be sorely lacking and am unable to determine its validity, so if someone who is cool like that could please elaborate I would be so damn happy.

By: Zooey
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-717995
Fri, 12 Apr 2013 22:28:28 +0000
Mind you, I only have two apps and I only use the mobile for texting with my BFF… However, I tried to upload to the virus scan, but my cyberstalker will not allow it…. Keeps redirecting me out of the page.

By: Zooey Glass
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-717993
Fri, 12 Apr 2013 22:25:28 +0000
Incident Identifier: 03FD5244-9C0E-41F5-A10B-F6F17E9D51BA
CrashReporter Key: c699790ed660939fb4f24fcafa8c4b888520d272
Hardware Model: iPhone4,1
Process: MobileMail [93]
Path: /Applications/MobileMail.app/MobileMail
Identifier: MobileMail
Version: ??? (???)
Code Type: ARM (Native)
Parent Process: launchd [1]

THIS IS HOW THEY ARE INFECTING IOS 4S….
It's been most difficult to find assistance, but I hope that this info helps the good people defend us… I'm not sure if this will help you, but infected I am. It's difficult to find help when everybody keeps on telling me it's impossible for an iPhone to be hacked or phreaked… I beg to differ…


By: Zooey
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-717985
Fri, 12 Apr 2013 22:14:59 +0000
I will be glad to post… I thought I had submitted it with my previous posting, but I have a cyberstalker that rules my moves…. I have more Trojans than Helen… The malware is beyond anything I have previously seen…. And very well hidden…

By: megahost
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-715824
Mon, 08 Apr 2013 13:22:19 +0000
Is this really related to the SSHD rootkit described at http://www.webhostingtalk.com/showthread.php?t=1235797&page=97 ?
I thought that was the end of it, but it looks like we have to see more.
We haven't been infected, but this is making us enforce our security policies even more. Advisable for everyone, in fact: never use root passwords; use SSH keys on non-standard SSH ports!

By: Ejikeme Princely
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-715019
Sat, 06 Apr 2013 15:48:51 +0000
Good and great post.

By: Tony Wright
https://blogs.cisco.com/security/apache-darkleech-compromises#comment-714165
Thu, 04 Apr 2013 18:45:36 +0000
Hi Mary,
Sent this stuff to DanG and would have sent it privately, but I couldn't find an email address I was sure would work.
Some further information about how bad guys are getting root on these web servers.
In Jan – Feb 13 there was a spate of web servers sending out spam. It turned out they had been rooted via SSHD and were sending out spam (I know Darkleech is serving web pages, but once you have root you can choose your tool).

There was also the cPanel compromise (ARS passim) wherein a tech support workstation got infected, which was able to compromise the proxy server the workstation sat behind, and lots of people who had given cPanel Support SSH passwords got their servers compromised in the same way — the libkeyutils library.

But lots of machines without cPanel were getting infected the same way, so how?
WebHostingTalk did a lot of investigation into this (it's 97 pages) and the following points emerged (Igor Seletskiy of CloudLinux and Steven Ciaburri participated extensively):
— Those servers where SSH keys were used to log in and SSH passwords were disabled didn't get infected.
— Those servers where SSH login was restricted to a particular set of IP addresses didn't get infected.
— Other than that it didn't matter what kind of Linux you used or which web server (Apache, Nginx, etc.) — but the BSDs were unaffected, and they use a different SSH mechanism.
— Their conclusion is that the workstations used to log in to the web servers over SSH were infected with a trojan/keystroke logger. (They actually found a workstation which was used to SSH into the web server and discovered the keylogger.) They also observed a malicious SSH login while it was going on.

Meanwhile Bojan Zdrnja at ISC has also been investigating this and finds similarities with the Ebury Trojan of 2011 — he thinks a large part of the Ebury code is re-used, but there is a crucial difference: Ebury patched the whole SSHD, which made it easier to discover and vulnerable to being overwritten during routine patching. The libkeyutils library is not changed that often, so there is much less chance of its being overwritten.
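The two findings above that kept servers clean (key-only logins with passwords disabled, and SSH restricted to known source addresses), plus megahost's "never use root passwords", turned into an sshd_config audit. This is an added example, not code from the blog or from any commenter; the directive names are real OpenSSH ones, the two sample configs are constructed, and it assumes an address restriction would appear as an AllowUsers user@host pattern or a Match Address block (on many hosts it lives in the firewall instead, which this check cannot see).

```shell
#!/bin/sh
# Added example (not from the blog or its commenters): audit an sshd_config
# against the controls the WebHostingTalk findings above single out
# (key-only logins with passwords disabled, source-address restriction)
# plus root password logins. Prints PASS/FAIL per control; the return
# value is the number of failures.

# Effective global value of a directive. sshd honours the FIRST occurrence,
# and anything after a Match line is conditional, so stop at either.
sshd_opt() {        # $1 = config file, $2 = directive name (any case)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

audit_sshd() {      # $1 = path to sshd_config; returns failure count
    fails=0
    pw=$(sshd_opt "$1" PasswordAuthentication)
    if [ "${pw:-yes}" = "no" ]; then   # sshd default is yes, so absent = fail
        echo "PASS PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '${pw:-yes}' (want no)"; fails=$((fails + 1))
    fi
    root=$(sshd_opt "$1" PermitRootLogin)
    case "${root:-yes}" in
        no|prohibit-password|without-password) echo "PASS PermitRootLogin $root" ;;
        *) echo "FAIL PermitRootLogin is '${root:-yes}' (want no)"; fails=$((fails + 1)) ;;
    esac
    # Source restriction inside sshd: AllowUsers user@host patterns or a
    # Match Address block. If neither, it must be enforced at the firewall.
    if grep -Eiq '^[[:space:]]*allowusers[[:space:]].*@' "$1" ||
       grep -Eiq '^[[:space:]]*match[[:space:]].*address' "$1"; then
        echo "PASS source-address restriction present"
    else
        echo "FAIL no AllowUsers user@host or Match Address restriction"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs (not from any real server) for a quick run.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'PermitRootLogin yes' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'PermitRootLogin prohibit-password' 'AllowUsers deploy@192.0.2.10' > "$HARD_CFG"
echo "--- weak config"; audit_sshd "$WEAK_CFG" || echo "$? control(s) failed"
echo "--- hardened config"; audit_sshd "$HARD_CFG" || echo "$? control(s) failed"
```

Note that a commented-out `#PasswordAuthentication no` (the stock default file ships one) is correctly treated as absent, so the weak config fails all three controls.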